May 16, 2020

A well-organized Nigerian crime ring is exploiting the COVID-19 crisis by committing large-scale fraud against multiple state unemployment insurance programs, with potential losses in the hundreds of millions of dollars, according to a new alert issued by the U.S. Secret Service.

A memo seen by KrebsOnSecurity that the Secret Service circulated to field offices around the United States on Thursday says the ring has been filing unemployment claims in different states using Social Security numbers and other personally identifiable information (PII) belonging to identity theft victims, and that “a substantial amount of the fraudulent benefits submitted have used PII from first responders, government personnel and school employees.”

“It is assumed the fraud ring behind this possesses a substantial PII database to submit the volume of applications observed thus far,” the Secret Service warned. “The primary state targeted so far is Washington, although there is also evidence of attacks in North Carolina, Massachusetts, Rhode Island, Oklahoma, Wyoming and Florida.”

The Secret Service said the fraud network is believed to consist of hundred of “mules,” a term used to describe willing or unwitting individuals who are recruited to help launder the proceeds of fraudulent financial transactions.

“In the state of Washington, individuals residing out-of-state are receiving multiple ACH deposits from the State of Washington Unemployment Benefits Program, all in different individuals’ names with no connection to the account holder,” the notice continues.

The Service’s memo suggests the crime ring is operating in much the same way as crooks who specialize in filing fraudulent income tax refund requests with the states and the U.S. Internal Revenue Service (IRS), a perennial problem that costs the states and the U.S. Treasury hundreds of millions of dollars in revenue each year.

In those schemes, the scammers typically recruit people — often victims of online romance scams or those who also are out of work and looking for any source of income — to receive direct deposits from the fraudulent transactions, and then forward the bulk of the illicit funds to the perpetrators.

A federal fraud investigator who spoke with KrebsOnSecurity on condition of anonymity said many states simply don’t have enough controls in place to detect patterns that might help better screen out fraudulent unemployment applications, such as looking for multiple applications involving the same Internet addresses and/or bank accounts. The investigator said in some states fraudsters need only to submit someone’s name, Social Security number and other basic information for their claims to be processed.

Elaine Dodd, executive vice president of the fraud division at the Oklahoma Bankers Association, said financial institutions in her state earlier this week started seeing a flood of high-dollar transfers tied to employment claims filed for people in Washington, with many transfers in the $9,000 to $20,000 range.

“It’s been unbelievable to see the huge number of bogus filings here, and in such large amounts,” Dodd said, noting that one fraudulent claim sent to a mule in Oklahoma was for more than $29,000. “I’m proud of our bankers because they’ve managed to stop a lot of these transfers, but some are already gone. Most mules seem to have [been involved in] romance scams.”

While it might seem strange that people in Washington would be asking to receive their benefits via ACH deposits at a bank in Oklahoma, Dodd said the people involved seem to have a ready answer if anyone asks: One common refrain is that the claimants live in Washington but were riding out the Coronavirus pandemic while staying with family in Oklahoma.

The Secret Service alert follows news reports by media outlets in Washington and Rhode Island about millions of dollars in fraudulent unemployment claims in those states. On Thursday, The Seattle Times reported that the activity had halted unemployment payments for two days after officials found more than $1.6 million in phony claims.

“Between March and April, the number of fraudulent claims for unemployment benefits jumped 27-fold to 700,” the state Employment Security Department (ESD) told The Seattle Times. The story noted that the ESD’s fraud hotline has been inundated with calls, and received so many emails last weekend that it temporarily shut down.

WPRI in Rhode Island reported on May 4 that the state’s Department of Labor and Training has received hundreds of complaints of unemployment insurance fraud, and that “the number of purportedly fraudulent accounts is keeping pace with the unprecedented number of legitimate claims for unemployment insurance.”

The surge in fraud comes as many states are struggling to process an avalanche of jobless claims filed as a result of the Coronavirus pandemic. The U.S. government reported Thursday that nearly three million people filed unemployment claims last week, bringing the total over the last two months to more than 36 million. The Treasury Department says unemployment programs delivered $48 billion in payments in April alone.

A few of the states listed as key targets of this fraud ring are experiencing some of the highest levels of unemployment claims in the country. Washington has seen nearly a million unemployment claims, with almost 30 percent of its workforce currently jobless, according to figures released by the U.S. Chamber of Commerce. Rhode Island is even worse off, with 31.4 percent of its workforce filing for unemployment, the Chamber found.

Dodd said she recently heard from an FBI agent who was aware of a company in Oklahoma that has seven employees and has received notices of claims on several hundred persons obviously not employed there.

“Oklahoma will likely be seeing the same thing,” she said. “There must be other states that are getting filings on behalf of Oklahomans.”

Indeed, the Secret Service says this scam is likely to affect all states that don’t take additional steps to weed out fraudulent filings.

“The banks targeted have been at all levels including local banks, credit unions, and large national banks,” the Secret Service alert concluded. “It is extremely likely every state is vulnerable to this scheme and will be targeted if they have not been already.”

Update, May 16, 1:20 p.m. ET: Added comments from the Oklahoma Bankers Association.

147 thoughts on “U.S. Secret Service: “Massive Fraud” Against State Unemployment Insurance Programs

  1. James Lawless

    State systems are indeed obsolete. Before the pandemic, the UI was so small, it wasn’t worth the time. Why if you have IRS which is wide open for the last 15 years at least. Now when states spit out $1000 it’s a whole different ballgame. Prepare to see the Fed take at least a B1$ hit on this.

    1. BrianKrebs Post author

      Many of these fraudulent filings are for way more than $1,000, James. From the story:

      Elaine Dodd, executive vice president of the fraud division at the Oklahoma Bankers Association, said financial institutions in her state earlier this week started seeing a flood of high-dollar transfers tied to employment claims filed for people in Washington, with many transfers in the $9,000 to $20,000 range.

      “It’s been unbelievable to see the huge number of bogus filings here, and in such large amounts,” Dodd said, noting that one fraudulent claim sent to a mule in Oklahoma was for more than $29,000. “I’m proud of our bankers because they’ve managed to stop a lot of these transfers, but some are already gone. Most mules seem to have [been involved in] romance scams.”

      1. James Lawless

        Criminals are possibly using the same mules for multiple claims, this was also the case during the early days of IRS scams, until the Treasury prevented one account from receiving more than 3 returns. State UI systems are not connected with each other and I doubt that the individuals state systems even prevent several claims from being deposited into the same account.

      2. JR

        In order for this to happen the bad actors have access to HR records. They had to match up employees to employers and have both the SS# and EIN# and copy of W2 or pay statement. They also had to know the exact amount of monthly earnings and it had to match the State’s tax department records. Also they had to have the home address of the employee and the payroll address of the employer. This means they have access to HR data. Find the contracting company that handles HR data and designed these unemployment systems and you’ll find your leak. I bet someone left a bucket open for $$. We’ve outsourced ourselves to death.

        1. Another JR

          Not in Washington. Once you create an account with name, SSN and address, you can access your records for the last 15 years. Employer, total hours worked, total pay for every quarter.

      3. Charmaine

        Who is really getting hurt here is Washington residents like me . Who the system has failed them and when June 4 th hits I will be homeless because of this failure. I am entitled to UI but yet my daughter and I are suffering and no one knows anything .

  2. Andrew Rossetti

    We’ve seen a few of these fraudulent ACH’s at our bank as well. All from Washington.

    1. Donna Luzier

      Are you able to tell me what description shows for an ACH deposit of unemployment benefits from the state of Washington?

      In Ohio the description is ODJFS.

      Thank you.

      1. Andrew Rossetti

        The description read:

        UI Benefit WA ST

          1. Jason

            Curious if there is a repository for all the various states unemployment descriptions. I am at a fintech firm that processes ACH and we are also seeing these same instances of name mismatch +UI achs from states that they do not reside in.

            1. Donna Luzier

              Jason, I’m not aware of one, but a search including “UI Benefit” yielded some results for me.

      2. Christine Whitcraft

        Thank you for submitting Ohio’s, does anyone know Oklahoma’s or Rhode Islands?

  3. Drew More

    My partner works for a five thousand employee organization in Seattle, Washington. Her boss told her that the HR department has reported several hundred employees that have observed that unemployment claims have been made in their names.

  4. Noel Wade

    The weak link here in WA appears to be the (ironically-named) “Secure Access Washington” (SAW) system. Its a unifying login/account system that was implemented to try to make it easier for residents to access various state government websites – rather than having a separate login for each State bureau/department’s site.
    Unfortunately creating a “SAW” account doesn’t require a lot of PII, but then once you have a SAW account its pretty easy to use this “universal” login to access lots of government services, from Employment-Security, to the Dept of Licensing, to the Dept of Revenue and more.
    To this IT veteran’s eyes, its a classic case of focusing solely on a request/objective and not actually thinking through the use-cases and scenarios of the system they were architecting.

  5. DD

    I learned that I’m both a victim of ID Theft from a fraud unemployment claim in WA, but there was also a Green Dot bank account falsely opened in my name.

    1. Sarah Holt

      The same thing happened to me. What did you do to find out information about your green dot account?

      1. Mark Schurer

        Same got notice from green dot today – walmart card. Call to talk to someone – cannot get a voice. Account has been closed before I even called according to automated system. Also got Samsung financing notifications and Comenity/Overstock credit card notices. Froze all credit a few minutes ago. 🙁

    2. Dan

      Ah. I just posted an update about the same thing happening to one of my co-workers. Such a PITA.

  6. Deanna Stearns

    I’m one of the impacted – not unemployed (yet?) – and based on my organization’s impact as well as those in my network, the WA ESD director’s estimate of 700 fraudulent claims is grossly underestimated. Our system is literally shut down, and for those of us who have had to have our accounts frozen due to the fraud, if we find ourselves in need of UI benefits it’s going to be an even bigger mess. I am unable to access any state sites now, and have to go to extraordinary lengths to prove who I am before I can again.
    This ring had to have had quite a lot of PII and undertaken data mining efforts to be able to hijack existing accounts as well as create new ones (there’s evidence of targeting higher earning individuals first – get the big bucks quick and disappear). If it weren’t for the ESD system communication preferences breaking down and sending me an actual letter in the USPS, I would have been none the wiser until all of the funds were depleted – and they were sent to a debit card, so there’s likely no recovering those funds.

  7. John Clark

    I have been trying to warn people for some time that there are scammers claiming to be staffing executives. The scammers have set up web sites with hosting services in the US. The scammer uses email accounts with domain addresses that match the web site address (just like real staffing companies).

    They get their targets to go through an online and phone interview process. Very similiar to real staffing companies. The scammer then tells the target that their Social Security and DOB are required to submit to the client company. The scammers combine that information along with other information that they pull from free sites like familytreenow dot com. That information includes the targets’ previous addresses and phone numbers. All needed to set up bank accounts and pass credit report security questions.

  8. vb

    It should be forbidden to use SSN in systems that are unrelated to the ” Old-Age, Survivors, and Disability Insurance (OASDI) program”. The Social Security Administration identifier should only be used by the Social Security Administration.

    All those state programs should be using their own identifier. Is it really that hard? Isn’t it obvious by now?

  9. Jobani

    Is there any way for me to check if a bad actor has filed an UI claim on me, other than by calling my state’s unemployment insurance office? I tried calling but could get through to anyone.

    It would be great if there was an online tool to verify status of UI claims similar to the tax refund status tool that the IRS has.

    1. jabulani

      Best way I’ve heard is to just register for an account on the WA gov unemployment website. If you already have a legit account, recommend you check your claim history and rotate password. If you never had an account, creating one will verify if your SSN was used for a previous account (created by a fraudster).

  10. Michael

    If you are reading this and are a victim, please look into adding fraud alerts or freezes to your credit reports with the 3 major bureaus. This will give you another layer of protection in that area for the time being. Take action with your finances by separating your personal social email from your financial institutes and create exclusive email accounts for those. Find a monitoring service that will alert you to activity on credit reports etc… You are a victim and your information is available to criminals. Do not deny this and take the aforementioned recommendations seriously.

    1. Kevin Gleason

      Thank you for that link. As a California resident, I had never seen that information before.

  11. Samer

    So how do I know if someone claimed unemployment in my name?

  12. Curious1

    I’m curious about how the money flow works for this scam. I can understand how it’s easy to get PII and then open or take over an existing account for someone at secure access wa. I can understand how you can do this on a large scale, however the payout per account can only be somewhere in the range of $1000 – $1500 per week (wag) These funds get direct deposited into someone’s (duped mule?) account and then would have to be transferred from there to somewhere else. In the article transfers in the range of $9000 – $20000 were mentioned. So those must be accounts that are having multiple consolidated false claims transferred to them? Is it not possible to check destination account numbers and flag any accounts belonging to more than 10 or however many claims? And then the criminals must move the money quickly, but most likely in denominations less than $10000? I’m very curious about the details of how the money is actually moved out. I’m surprised banks just don’t reverse the transfers? I’m ignorant of these types of details but appreciate anyone who can shed more light on how this works.

    1. Christine Whitcraft

      If the deposits are not caught in enough time, the mules will purchase gift cards, bit coin, or send cash. This does appear to be a romance scam.

      1. Charmaine Martin

        Exactly the funny thing is I have bitcoin so I am constantly watching any news related to it . Well what do you know purchasing of bitcoin is up to record highs . Smh

    2. Charles

      In Massachusetts the benefit amounts are indeed on the order of $1,000 to $1,500 per week; but due to a delay in setting up the system for people affected by the pandemic, one could apply for several weeks retroactively. Each week’s benefit is paid in a separate transaction, but the initial payment was for several retroactive weeks, with multiple transfers all paid on the same day. That would easily explain a $9,000 amount, but not the $29,000.

      1. Beth

        I agree my poor son had to wait weeks to be denied for regular ui benefits and he applied for pandemic and because it was retroed back to his file date he had a deposit over 7,000 and the credit union he banks with called him saying it was from a fraudulent site and froze his account and it’s an actual real claim from the state of mass government website and they say they have to investigate because most of the fraudulent cases have been makes from age 17 to 22 and my son is 21. Like really I’m so pissed we r closing that account as soon as they un freeze his completely legal funds he recieved and they are loosing mine and my wife’s business as well of almost 10 years. What a sham to make my son look like a criminal because of a scam completely not pertaining to this mule crap except an amount over 7K.

    3. Andrew

      There is a backlog for payments. We’re seeing they either have multiple false claims or the unemployment system has been behind and most are getting a large catch-up payment of 6-8 weeks of payments.

    4. Mark A

      Having worked bank fraud I can tell you. Ever get a work from home email? You process client payments for us and keep 10%?? Then the “mule” sends money to an account in a country that doesn’t allow reversal, like Uzbekistan and it is immediately swept to another country from there. the bank reverses the transaction and the money is NOT in the mules account of else the mule takes the loss. for smaller amounts they have them send cash, Western Union, or buy bitcoin. These people really think the made a fast 10%

  13. Andy

    I’m in Oklahoma and the problem is much more rampant than I think has been conveyed. I was hit, my coworker’s wife and one of her friends was hit. My other coworker’s daughter was as well. My employer has received hundreds of claims.

    Anyways, they mailed a debit card before anything was verified. I don’t know how they exploit that remotely.

  14. WeBeScrewed

    Based on my experience, number of false claims in Washington must be in 10’s if not 100’s of thousands by now.

    If you live in washington state:
    Go to site. Register for a user account. You will go through an activation procedure. They will email you an activation email and follow the instructions.
    Once that is done, login to system. Under “Eservices” select “for Yourself” option where you are selecting that your an an unemployment claimant, a job seeker or want to lookup past wages.
    Next it will ask you to verify your identity, click the verify your identity button and answer the questions. All it asks are weak questions like social, legal name, birthdate, mailing address, etc. (WHICH IS THE PROBLEM) then hit next.
    If someone has already signed up for benefits in your name with an account it will tell you your SSN is already associated with an account and show you a partial email address. And gives you a number to call if you think its fraud.
    If you don’t get a warning then in theory you now have an account on the ESD website and someone else can’t file an electronic claim through the system in your name. You can verify no one has processed claims in your name by going to “My accounts” and selecting “Apply for payment benefits or manage your current and past claims” and it should list any claims in your name.

  15. Sam

    Am I an idiot or I’m missing something?
    Why person in their right mind would accept someones transfer on account under their legal name? so they could easily be tracked…
    Or people who accept this fraudulent transactions are almost never punished?
    I just don’t understand and see the point, because they all are recorded and can be caught (I mean mules)

    1. BrianKrebs Post author

      Because they don’t think they’re doing anything wrong. Read the bit about the romance scams. The mules are mainly people who are being told they’re receiving money on behalf of their significant other whom they only met online. I know, that may sound crazy, but there are countless lonely people who get preyed upon in these romance scams that can be strung along for a long time to do stuff like this.

      1. Sam Simon

        Hm, I think i got it.
        So scammer (pretend to be a girl) tell these people, “she” needs to sent them money to their account for some reason, and then, ask them to send this money back to her via WU?

        1. TheFed

          Actually, it’s just as likely for a man to be victimized by a romance scam as it is a woman. I saw a forum once where a large number of women were all talking about how they’d been scammed, not once, but several times, and for very large sums in some cases. We’re all human. These scams are getting much worse. I can’t believe that “nothing” can be done about it. I got two scam calls today, one on my cell phone and one on a land line phone. It never ends.

    2. Vicki

      The world is filled with sad, lonely people who fall in love with someone who posts a fake photo of an attractive person and continuously send messages of profound love and devotion. I see it where I work (banking). We tell them they are the victim of a scam and they refuse to believe it. We shut down their ability to send wires, use checks, use a debit card and they will simply withdraw money and go down the street and wire it to their beloved. When they run out of money and get dumped they come back and blame us for not working hard enough to convince them that they were a scam victim. It’s frustrating.

      1. TheFed

        In some cases women are used for this, often very attractive women, but they are not doing it by choice. There is one group in Africa somewhere that has women held captive and all they do all day is skype or facebook looking for lonely men they can victimize. “I lost my phone, can you send me money? Otherwise you can’t see me anymore”. Or the old they take off their cloths and they want you to do the same, and then they blackmail you into sending money otherwise they’ll send a copy of the video to everyone in your facebook friends list. Etc etc It’s only getting worse!

      2. Robin H. Beeson

        @Vicki Please do not give up trying to stop them. You are alone in the banking service because most banks could not care less. Even with sufficient evidence given to bank security for arrest and with witnesses willing to cooperate – the most action taken is just to close the offender’s account.

        I have been involved in international law enforcement since my retirement and done everything to stop scammers with 19 arrests made with my help in Ghana and other countries. For Brian’s information most of the Nigerians are working out of Ghana.

        Please Vicki – do not give up and encourage others to do the same as your wonderful self

  16. Dan

    We’ve had at least 50 people at work hit with the unemployment fraud.
    Interesting update, one of my co-workers just passed on to me. Today he received a Walmart Money Card issued by Green Dot bank in the mail. He did not apply for this. What is more strange is the Card was addressed to a fictional residence on his street but not his proper address. Mail handler just happened to deliver it after recognizing his name.

    My friend called Walmart and CS rep indicated “all she has been doing is canceling these cards since Monday.” The card was opened the same day that he had a fake unemployment claim filed in WA in his name. So this appears to be one of the avenues they are using to deposit the funds from the fraudulent claims. I think Walmart/Green Dot was allowing funds to traverse the account after it was setup and before the debit card was activated by the “account holder”. Essentially eliminating the need for a US-based mule perhaps.

  17. Tim

    Got an email today from ohio. Bad news their system was insecure and they exposed all my personal info along with hundreds of thousands of others… (pua unemployment)

  18. Roy

    Is this why benefits are frozen in Massachusetts right now and a lot of people’s status is pending saying that benefits will not be paid this week until an issue is resolved with no letter in our box?

    1. Tom

      I’m having the same problem in Massachusetts. My check just stopped and I had to send all sorts of documents to prove my identity. It’s been over a week and still says “Pending”

  19. WA CFO

    This whole fiasco could be avoided if states took their instruction from the banking industry and instituted a “positive pay” system where employers were required to report when an employee separates for any reason. Ironically WA state requires that we report all new hires within 20 days of hire so they can chase them down for back child support ( If employers were required to use this same system to report separations within a couple of days, the state would have a list to compare to when an unemployment claim was filed. Any discrepancies would be immediately followed up on and no claims paid until resolved.

  20. oscar b guerra

    My EDD account was hacked in CA the week of May 4. There was no “skimmer” attached to the BofA ATM located in a strip mall away from the bank. I seemed to remember a guy in his car nearby with a laptop, whether coincidence or not. My wife and I attempted to withdraw $1,000 from the $1,700 balance, and the ATM said “Unable to complete this transaction at this time.” We were then able to withdraw $600, leaving $1,100 in the account. Three days later, when we went back to the ATM, the balance was $100. Bank investigators determined fraud and closed the account and opened a new one with the funds restored. But they never explained how the money was stolen.

  21. Robert Costa

    So, here we have a WA state website that has poor security.
    Can someone tell me why in that case I should register and associate my SSN with my name, email, mailing address, birth date, etc on the insecure site?
    How do we know the system isn’t compromised? Why trust it at all?
    By providing all this information you help any scammer that gets ahold of it. The last thing we should do is help the Nigerian scammers.

    1. JCitizen

      With all the breaches going on that Brian reports on; the crooks already know enough about you to create this account without you knowing it. So 9 times out of 10 (depending on state) you are better off creating it yourself, and password protecting it, so that at least you can monitor it for fraud. Also it makes it harder for the crooks (usually) because they would have to break your password; or get past 2nd factor authentication. So I’d say you are always better off to at least create the account, even if you never use unemployment claims.

  22. Rich M.

    Now I understand why I’m broke, waiting for my unemployment check, with no gas in my generator. I live in an old motorhome in the industrial district of Seattle. covid really did hit Seattle hard, lemme tell ya. I felt so blessed that our society was taking care of me with that extra $600 per week. Things were looking up. Finally able to get a handle on my debts and stay afloat while I struggle to find work and re-stabilize my life. And then this happens, and throws a wrench in my whole financial situation.

    Please Washington. Please get this figured out and send the ACH. I’m out of food stamps, I’m out of cash, and I don’t know what to do. 🙁

  23. MissK

    I work at a financial institution and we have returned 84 deposits for almost $150K from the unemployment offices in Washington, Massachusetts, Arizona, Ohio, and Pennsylvania. This represents only 19 claimants. In most of the cases these were deposits coming into accounts where the beneficiary name (claimant in this case) did not match the account name. We return those at all times so most of the fraud was returned before hitting the accounts. In two of the cases multiple state’s deposits tried to go into their accounts and then they ultimately ended up getting deposits that were in their name. Meaning that the fraudster ended up also filing in our customer’s name. One of those was from Arizona – a place our customer has never lived or worked. And one was from Ohio – a place our customer does live and work but did not file for unemployment as he’s retired.
    The customer that got deposits from Arizona thought the deposits were for ‘assistance with funeral expenses’ that he had applied for online. The other customer (lives/work Ohio – Ohio unemployment) I believe was compromised in a romance scam.

    Washington Unemployment comes in with Company Name WA ST EMPLOY SEC and a company ID of 1911762161.

    Massachusetts comes in with Company Name MA DUA and a company ID of C046002284. We are also getting I046002284 but all of those have been legitimate.

    Arizona comes in with Company Name STATE OF ARIZON

    1. MissK

      Accidentally hit Enter without finishing last post…oops.

      Pennsylvania comes in with Company Name COMM OF PA UCD and company ID 1031301024

    2. MissK

      Arizona comes in with Company Name STATE OF ARIZONA with a company ID of 8660047930

      1. Ultra

        What happens to the ones who were tricked in “Online Romance”? If they used the money, and what happens if they didn’t?

      2. Ultra

        What happens to those involved in “Online Romance” if they spend the money?

  24. Stratocaster

    Now the states know where they can find their next pool of COBOL programmers for their legacy systems.

  25. The Sunshine State

    Another great informative article !

  26. DelilahTheSober

    I just checked to see if there was any way to proactively create an account with the EDD in my state in order to prevent fraud. As far as I can tell, there isn’t, and there should be, just as I have proactively registered online accounts with both the Social Security Administration as well as the IRS.

    Although there aren’t any 2020 employment records posted yet on the Social Security website, I was able to quickly glance over my taxed earning records for the previous decades of my life and make sure that there was nothing posted that shouldn’t be there.

  27. Stephane

    Could this be possible solutions, I dont know US systems?
    1. All states sent to an intermediate bank account/number that filter ‘duplicates’
    2. Receiving Banks implement a test similar to: if received from State Account several times for same accounts, block/warn.

  28. Cynthia J

    So what do those of us do while they verify our identity and we get no benefits going on week number 2? I have no money for rent and can’t get any information about the situation. Does anyone know how long it’s going to take because here in Washington it’s been 10 days not 2!

    Need help or answers

Comments are closed.